OS X Patches, Secunia Stats

Yesterday, Apple patched the DNS bug everyone was so worried about a few days ago (because some security researcher got ticked off that his name hadn’t been mentioned in dispatches). Time to revisit the whole “Mac OS X is less secure than we think” meme.

Remember, this is all versions of OS X since January 2003 vs. Windows Vista alone. (If I wanted to be nasty, I’d show the graphs for Windows XP Professional, various versions of Office, etc. At least Secunia has stopped treating each Microsoft SKU as a different platform.)

According to Secunia*, the most severe flaw in OS X in the last couple of years is this one. If you’d like to skip reading it, the basic idea is that a bug in Apple’s handling of zip archives could execute a specially tailored payload contained in the archive. So if you were using Safari with its default preferences (“Open ‘safe’ files after downloading” switched on) and you clicked a link, the zip archive would download to your hard disk, get decompressed automatically, and, potentially, arbitrary code could execute. Note that this is not a “Trojan horse” in the usual sense: you don’t need to type in a password or deliberately do anything except click a link in a web page, so this is pretty severe. Turning off the auto-open preference in Safari closes that particular path.

This is rated by Secunia as extremely critical (“5” on their 5 point scale; do you ever get the feeling that security researchers should be given a free thesaurus?), even though (1) it requires some user action (it’s not like the network-facing service vulnerabilities in Windows which allowed worms like BLASTER to simply take over a PC as soon as it was hooked up to the internet) and (2) there are no known instances in the wild.

Windows XP and Vista have a bunch of vulnerabilities rated highly critical (4/5) which are equally nasty, e.g. buffer overflows in the way Windows handled images in web pages that could cause arbitrary code execution. Casual user activity (just browsing pages) could, theoretically, result in arbitrary code execution in user space. Apparently, for a problem of this severity to be rated extremely critical on Windows there need to be known exploits in the wild.

Presumably, a vulnerability on the Mac requiring zero user action, obtaining root access, and with instances in the wild would, for consistency, rate mindbogglingly critical (8/5) on Secunia’s scale. I guess when there’s finally a worm out there that can compromise Macs, heads will explode.

* Why do I keep using Secunia? Because as security research firms go, they’re not quite as grotesquely anti-Mac as typical, and they offer links to embed live versions of their graphs.

Post Script

Apple’s patch doesn’t fix the DNS bug properly. It’s worth noting that this is only going to hurt servers (most people don’t use OS X desktops as DNS servers, and indeed the DNS server isn’t switched on by default), so technically this is a server bug. Still, it needs fixing, and it’s another misstep by Apple (along with the whole MobileMe fiasco) in a short period.

Post Post Script

Also note that Apple’s initial patch did fix the vulnerability in OS X server (and, apparently, in server-like devices such as Airport Extreme), so basically all the whining was about nothing. It’s one thing to conflate OS X (desktop) with OS X (server) in counting bugs, and another to complain about OS X having an unpatched defect in a service that’s turned off by default and very few people would have switched on.